Merge branch 'main' into signals-reload-acl

This commit is contained in:
Kristoffer Dalby 2022-06-02 11:12:15 +02:00 committed by GitHub
commit f1db2d0c8e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 12 deletions

acls.go

@ -250,16 +250,17 @@ func expandAlias(
} }
if strings.HasPrefix(alias, "tag:") { if strings.HasPrefix(alias, "tag:") {
owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain) // check for forced tags
if err != nil {
if errors.Is(err, errInvalidTag) {
for _, machine := range machines { for _, machine := range machines {
for _, t := range machine.ForcedTags { if contains(machine.ForcedTags, alias) {
if alias == t {
ips = append(ips, machine.IPAddresses.ToStringSlice()...) ips = append(ips, machine.IPAddresses.ToStringSlice()...)
} }
} }
}
// find tag owners
owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
if err != nil {
if errors.Is(err, errInvalidTag) {
if len(ips) == 0 { if len(ips) == 0 {
return ips, fmt.Errorf( return ips, fmt.Errorf(
"%w. %v isn't owned by a TagOwner and no forced tags are defined", "%w. %v isn't owned by a TagOwner and no forced tags are defined",
@ -267,23 +268,22 @@ func expandAlias(
alias, alias,
) )
} }
return ips, nil return ips, nil
} else { } else {
return ips, err return ips, err
} }
} }
// filter out machines per tag owner
for _, namespace := range owners { for _, namespace := range owners {
machines := filterMachinesByNamespace(machines, namespace) machines := filterMachinesByNamespace(machines, namespace)
for _, machine := range machines { for _, machine := range machines {
hi := machine.GetHostInfo() hi := machine.GetHostInfo()
for _, t := range hi.RequestTags { if contains(hi.RequestTags, alias) {
if alias == t {
ips = append(ips, machine.IPAddresses.ToStringSlice()...) ips = append(ips, machine.IPAddresses.ToStringSlice()...)
} }
} }
} }
}
return ips, nil return ips, nil
} }
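Review bot: A machine whose namespace owns the tag and that carries the alias both in `ForcedTags` and in the `RequestTags` of its HostInfo has its addresses appended to `ips` twice, because the new forced-tag pass and the per-owner RequestTags pass are independent loops and nothing in this hunk deduplicates the result. Unless a caller deduplicates (not visible from here), skip such machines in the second pass with `if contains(machine.ForcedTags, alias) { continue }` placed before the `contains(hi.RequestTags, alias)` check, so that an admin-assigned forced tag takes precedence over what the node itself reports. The added test case "Forced tag with legitimate tagOwner" puts the two sources on separate machines, so a machine with both would pin this. Separately, the `errInvalidTag` else-branch returns the partially filled `ips` together with a non-nil `err`; returning `nil, err` there keeps callers from treating a failed expansion as a result. expandAlias begins before the first hunk.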


@ -1055,6 +1055,52 @@ func Test_expandAlias(t *testing.T) {
want: []string{"100.64.0.1", "100.64.0.2"}, want: []string{"100.64.0.1", "100.64.0.2"},
wantErr: false, wantErr: false,
}, },
{
name: "Forced tag with legitimate tagOwner",
args: args{
alias: "tag:hr-webserver",
machines: []Machine{
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.1"),
},
Namespace: Namespace{Name: "joe"},
ForcedTags: []string{"tag:hr-webserver"},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.2"),
},
Namespace: Namespace{Name: "joe"},
HostInfo: HostInfo{
OS: "centos",
Hostname: "foo",
RequestTags: []string{"tag:hr-webserver"},
},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.3"),
},
Namespace: Namespace{Name: "marc"},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.4"),
},
Namespace: Namespace{Name: "mickael"},
},
},
aclPolicy: ACLPolicy{
TagOwners: TagOwners{
"tag:hr-webserver": []string{"joe"},
},
},
stripEmailDomain: true,
},
want: []string{"100.64.0.1", "100.64.0.2"},
wantErr: false,
},
{ {
name: "list host in namespace without correctly tagged servers", name: "list host in namespace without correctly tagged servers",
args: args{ args: args{